VMware Cloud Community
stanj
Enthusiast

vSphere STIG and DoD Discussion

I started this new thread so that others can contribute. Hopefully we can use it to advise interested users when the vSphere STIG is in draft or final form. I have been following the thread about the ESX script to pass the DISA Security Review, which provided good info for ESX 3.5. We may be installing vSphere 4.0 in the upcoming months in a DoD facility and will be required to use the DIACAP process to receive an ATO to allow the systems to be connected to a classified network. I am interested in the process that our DAA will need to investigate. I am assuming the ESX STIG will be a starting point as we start down the path to receiving our ATO?

20 Replies
TomHowarth
Leadership

We may be installing vSphere 4.0 in the upcoming months in a DoD facility and will be required to use a DIACAP process to receive an ATO to allow the systems to be connected to a classified network.

I am surprised, as in the UK the MOD or any central government facility will not touch vSphere until it has passed Common Criteria. We are allowed to utilise a minor version release if it is in testing and an earlier minor has received certification, but major releases need full certification.


Tom Howarth VCP / vExpert

VMware Communities User Moderator

Blog: www.planetvm.net

Contributing author for the upcoming book "VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment" (http://my.safaribooksonline.com/9780136083214). Currently available on Rough Cuts.

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
michael_40catbi
Enthusiast

Hello,

I've got a white paper on this that will help.

Please send an email to michael at catbird dot com

I'll reply with the white paper.

Michael

stanj
Enthusiast

Currently, DoD facilities using VMware ESX 3 have followed the as the baseline for receiving approval to operate in a DoD facility.

There are a few VMware white papers showing that VMware is being used by DoD like

What is the white paper about with regard to granting a DoD facility approval to run VMware in a secure facility?

Can you provide a link to the White Paper or attach it?

Thanks

Texiwill
Leadership

Hello,

I would contact the owners of the current STIG; I imagine they are working on what needs to happen with vSphere. The problem is that it is like starting over: while the guidance in the current STIG still applies, there are new things to consider now.


Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMware ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
TomHowarth
Leadership

That VMware paper you linked to relates to VI3, not vSphere, so my point still stands. Yes, both the DoD and MOD are utilising VMware ESX, but it is the VI3 version, not the vSphere one. You will be hard pushed to get it into a military establishment before the Common Criteria statement has been published; you may, and this is a very big may, get them to look at it in a POC environment, but it will not go anywhere near their prod systems. Yes, vSphere is more secure than VI3, but that is not the issue here. It is about accountability.

VI3 has Common Criteria certifications and a known process of hardening. Even though vSphere has Nexus (another non-certified product) and vShield (another non-certified product), these are unknown entities to the relevant departments.

stanj
Enthusiast

I contacted the DISA FSO.

Here is the status and direction so far for vSphere:

VMware is currently working on developing security guidance for ESX4 and 4i.

This is a consensus effort between DISA and VMware.

The projected completion date is January 2010.

The ESX4 STIG will just be a checklist update addressing the differences between ESX3 and ESX4.

In the meantime, Sections 3 and 4 of the ESX Server Checklist would still be applicable to the ESX4 environments.

In the absence of any guidance, CIS benchmarks or vendor security guides are to be used.

I will post any additional information I receive.

Ares7
Contributor

Is this a separate project from the Common Criteria?

Texiwill
Leadership

Hello,

Common Criteria is quite a bit different and handled by a company outside of the US, I believe in Canada. But that aside, there are different goals for CC vs DISA vs CIS vs VMware.


Best regards,
ukitus
Contributor

Just found this thread on the vSphere STIG.

Has any progress been made? Latest Status?

Texiwill
Leadership

Hello,

I believe DISA is waiting on VMware which has early guidance but nothing final. The latest Virtualization Security Podcast covered the guidance in detail.


Best regards,
hayb
Contributor

Common Criteria is an international standard regarding design assurance. It is of limited value at EAL4 and below, mainly a documentation game.

DISA STIGs are security configuration guides, with checklists to ensure hardening.

strangeone
Contributor

I have a script for 3.5 and 4.0, but I would also say that most of my DOD customers have started requiring ESXi, which allows you to drop the UNIX/Linux STIG requirements from the mix. At 340 controls for the (UNIX/Linux) DISA STIG, this is a significant change in the work required to get an iATO or a full ATO. Believe me, that still leaves work to do, but since ESXi is VMware's own direction (roadmap) as well, it only makes sense.

Texiwill
Leadership

Hello,

ESXi is not quite an appliance yet; there are still POSIX or *NIX style controls required to make it secure. To secure ESXi there are still many steps to take that are just not really scoreable with an SRR or some other script. Many things are, but many are still not, and relate to the rest of the virtual environment's impact on the ESXi host.

It really depends on scope, and if the scope of the STIG for ESX/i v4 is the same as ESX/i v3.x then there are still a few gaps.


Best regards,
argenfarg
Contributor

I have been researching how to get ESX 4 accredited on my DoD network. The only hole left is how to configure lockout after a number of failed logins to the ESX console. PAM seems to be there, but pam_tally isn't. Is there an alternate method?

Thanks.

Texiwill
Leadership

Hello,

pam_tally and pam_tally2 exist on my ESX v4 hosts. Do you mean ESXi perhaps?


Best regards,
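The lockout control argenfarg is asking about, as an added example that is not part of the thread: a small audit that parses a PAM stack for a pam_tally/pam_tally2 failed-login lockout and reports the configured threshold. It assumes an ESX 4 service console with the RHEL-style /etc/pam.d/system-auth layout and pam_tally2 present, as Texiwill reports; the two sample stacks are constructed for the demonstration, not copied from a real host.

```shell
#!/bin/sh
# Added example, not from this thread. Assumes a RHEL-style PAM stack such as the
# ESX 4 service console's /etc/pam.d/system-auth; sample stacks below are constructed.

# lockout_threshold FILE
# Prints the deny= value of the first active pam_tally/pam_tally2 "auth" line
# (comment lines and trailing comments are ignored); prints nothing if absent.
lockout_threshold() {
    grep -E '^[[:space:]]*auth[[:space:]]+[^#]*pam_tally2?\.so' "$1" 2>/dev/null \
        | sed -n 's/#.*//; s/.*deny=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# check_lockout FILE MAX
# Returns 0 when a lockout is configured and deny= is at most MAX, else 1.
check_lockout() {
    n=$(lockout_threshold "$1")
    if [ -z "$n" ]; then
        echo "FAIL: no pam_tally/pam_tally2 lockout configured in $1"
        return 1
    fi
    if [ "$n" -gt "$2" ]; then
        echo "FAIL: deny=$n exceeds the allowed maximum of $2 in $1"
        return 1
    fi
    echo "PASS: accounts lock after $n failed logins ($1)"
    return 0
}

# Constructed sample: a stack with no lockout module at all.
UNLOCKED=$(mktemp)
cat > "$UNLOCKED" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
EOF
# Constructed sample: pam_tally2 counts failures before pam_unix runs, and the
# account entry resets the counter after a successful login.
LOCKED=$(mktemp)
cat > "$LOCKED" <<'EOF'
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 unlock_time=900 onerr=fail
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_tally2.so
EOF
trap 'rm -f "$UNLOCKED" "$LOCKED"' EXIT

# Demonstration run; "|| true" keeps the expected FAIL from aborting under set -e.
check_lockout "$UNLOCKED" 3 || true
check_lockout "$LOCKED" 3
```

Point the functions at the host's real system-auth file to audit it; the same parse works for pam_tally on ESX 3.x stacks.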
dmustakasjr
Contributor

My unfortunate experience with C&A in the government workspace is that they "scan" using SRR (as you mentioned), Retina, etc., which do not notice anything insecure on ESXi. There are perhaps some false positives, as it does not find expected files, for which the deployment InfoSec personnel will write a POAM. The result: PASS. Granted, it has been several months since I was working in a deployed environment scanning for vulnerabilities, and SRR and other products have updated releases.

Here is a link to the page with the ESX server checklist (Oct 2009), http://iase.disa.mil/stigs/checklist/index.html, and the ESX server STIG (April 2008), http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf. Both are very outdated, and if they are the current mandatory qualifications I don't see how ESXi won't be approved for use in more environments, even right out of the box.

My advice: use the checklist and STIG currently in place, scan with the current version of SRR, write POAMs for false positives (all of which should get your design approved for deployment), and don't forget to actually follow best practices and secure it.

vRico Virtualization Enthusiast VCP 3&4, MCITP EA and a bunch of other stuff
Texiwill
Leadership

Hello,

The SRR for ESX will pretty much ignore ESXi... That is a problem with the outdated SRR. But ESXi has fewer things to configure, so it has fewer SRR items. There are some new items in ESXi v4 that were not in v3, so they should be verified; password complexity, etc. is one of them.


Best regards,
TonjaH
VMware Employee

Since I can't say I really understood this discussion, is it fair to say there are no new DoD STIGs yet available for vSphere 4.x? I have a customer asking about this and I'm not sure what to tell them. My searches on the net have come up pretty empty to this point.

Thanks for the insight.

Tonja
